Research uncovers stark differences in security practices of experts, non-experts.

With the non-stop stream of zero-day exploits, website breaches, and criminal hacking enterprises, it's not always easy to know how best to stay safe online. New research from Google highlights three of the most overlooked security practices among security amateurs—installing security updates promptly, using a password manager, and employing two-factor authentication.

The practices are distilled from a comparison of the security practices followed by expert and non-expert computer users. A survey found stark discrepancies in the ways the two groups reported keeping themselves secure. Non-security experts listed the top security practice as using antivirus software, followed by using strong passwords, changing passwords frequently, visiting only known websites, and not sharing personal information. Security experts, by contrast, listed the top practice as installing software updates, followed by using unique passwords, using two-factor authentication, choosing strong passwords, and using a password manager.

"Our results show that experts and non-experts follow different practices to protect their security online," the researchers wrote in a research paper being presented at this week's Symposium On Usable Privacy and Security. "The experts' practices are rated as good advice by experts, while those employed by non-experts received mix[ed] ratings from experts. Some non-expert practices were considered 'good' by experts (e.g., install antivirus software, use strong passwords); others were not (e.g. delete cookies, visit only known websites.)"

One likely reason for the divide over use of antivirus software is that security experts are more likely than non-experts to use a non-Windows operating system. So while it may be tempting to interpret the results as showing that experts think AV isn't an effective security measure, that's not automatically the case. The question posed to each group asked for the top three things they did to protect their own security online. If experts are more likely to use an OS other than the heavily targeted Windows, it stands to reason they would be less likely than non-experts to list AV as one of the top ways they protect themselves.

Several of the other major differences aren't as easy to account for. Installing software updates, using password managers, and employing two-factor authentication are all top choices for experts while remaining much lower priorities for non-experts. The researchers wrote:

Our results find discrepancies between what security practices experts and non-experts follow. While most expert participants install updates, use a password manager, and use two-factor authentication, most non-expert participants use antivirus software, change passwords frequently, and visit only known websites. Non-expert participants reported being reluctant to promptly install software updates, perhaps due to lack of understanding of their effectiveness or bad past experiences caused by software updates. Though using them was considered good advice by experts, password managers were regarded with skepticism by non-experts, who instead preferred to remember passwords, partly because, as one participant said, “no one can hack my mind.” Other security advice, however, such as not clicking on links received from unknown people, was known and followed by non-experts. More work has to be done on improving the limitations of security practices identified in this work which are used by experts but not by non-experts. Nevertheless, based on our findings, some promising security advice emerges: (1) install software updates, (2) use a password manager, and (3) use two-factor authentication for online accounts.

It stands to reason that if updates, password managers, and two-factor authentication are top priorities for security professionals, they should be top choices for amateurs as well. So the next time a security n00b asks what they should do to stay safe online, remember to emphasize these three practices over changing passwords frequently or visiting only trusted sites.